Channel: Group Policy forum

Sync AD users photo to Windows 10 workstations


Hi all,

I am trying to set up a method to retrieve AD users' photos and activate them as the Windows 10 user profile photo.

To do this, I followed this method: https://www.codetwo.com/admins-blog/use-active-directory-user-photos-windows-10/.

In summary:

  • Put the example script into a GPO as a logoff script
  • In the same GPO, set the "Full control" permission for "Builtin\Users" on the registry key that will contain the photo

But it doesn't work for me.

My issue is that I cannot find the French equivalent of "Builtin\Users" ("Builtin\Utilisateurs") because it doesn't show in the GPO editor, although it appears in AD (fortunately). So as a test I set "AUTHORITY NT\Authenticated users" or "DOMAIN\Domain users"; the required permissions are correctly set on the key, but nothing is imported into it.

How can I see this "Builtin\Users" group?

I should add that the script runs flawlessly when I execute it in the user context, and there is no error about group policy execution in the event viewer.

Thank you for your help.

Regards,


FXE


Need security to unblock webex type downloaded executables for end users


We use Group Policy Objects (GPOs) to implement security on our Internet browsers. When one of our end users needs a “webex” type meeting for support from a vendor, they click on the link supplied by the vendor to download the necessary executable to their PC (Win 7 mainly, just starting to roll out Win 10).

In Chrome, they cannot download the executable; it gets blocked. In IE11 and Edge, they are told it is blocked, but after clicking on Retry (I am assuming the executable has then had time to be scanned and is deemed safe) it has been put in their Downloads folder. However, they cannot run it: in Edge they get no message, and in IE11 they get a Windows Security Warning "Windows found that this file is potentially harmful. To help protect your computer, Windows has blocked access to this file. Name: name.exe, OK". Using either MS browser, they then have to go to their Downloads folder (a major hurdle for many of our users), find the executable (another big hurdle), right-click on it, select Properties, General tab, and click on the Unblock button and then the Apply button.

Is there any way to use a GPO to eliminate this step? Or is there a security setting we can apply to the Downloads folder of the users that most frequently utilize this type of support, not for every download but for, say, webex*.exe or bomgar*.exe?

Folder redirection access denied trying to create Documents folder


Sorry for this basic question but I need to understand...

When the Helpdesk creates a new user they copy a template directory. It contains a Documents sub-folder that the user has Modify rights to. This is a special folder that is actually called My Documents, a hangover from the old days.

GPO for folder redirection says to create folder under \\server\home

I'm seeing the Event Viewer report that the Redirection policy fails to apply because it is trying to create a Documents folder, and the user has specifically been set with List rights only on the directory, to force them to create their files under their set folders, e.g. My Documents. So a lot of W10 machines have their local Documents properties as C:\users\xxx because the GPO isn't applying, and that is probably the out-of-box setting.

First question: how does this special folder work? When you view it on the host home-drive server (2012 R2) it displays as Documents, but under Sharing it is actually called My Documents.

Our user estate is 7 and 10, so I thought the easiest way to fix this is to simply rename the folder from My Documents to Documents, but this is going to cause more trouble due to user shortcuts, and also the GPO for Office has "My Documents" as the temporary save location.

How can I best fix this?


Ian Burnell, London (UK)

RDP


Hello All,

Is there any Group Policy setting where we can make Remote Desktop connections use CA certificates instead of self-signed certificates?

Regards

Aamir


NA

Trusted applications cant write to protected folders

I have enabled controlled folder access through GPO. We have many users, so when an application gets blocked I have told them to add it to the allowed apps.

While the users are doing this, they are still having issues writing to protected folders, like the user's Documents folder or Desktop, with the trusted apps. Any idea what is going on here? Thanks

Windows Server 2016 AD: GPO Logon Script does not run


Hi,

It is really very strange...

1) I created a new GPO on Active Directory, and linked it to an OU.

2) This GPO will be applied only to "User Configuration", and to some selected user accounts.

3) This GPO includes only a small cmd script which should be run during logon of the users.

The script creates a directory, copies some files from a network share, and runs an executable file.

I applied the GPO, ran "gpupdate /force" and "gpupdate /sync", waited for 1 day, again forced the GPO to be applied, etc.

When the user logs on, NOTHING happens! The GPO is not applied!

When I run the same script on a Windows Server member server, it runs successfully.

Any idea?

Best regards

Birdal



GPO Software Installation - Deletion

Quick question: we have a GPO that assigns an application to all of our PCs. If I just delete the application assignment, do the apps get removed (uninstalled) from the PCs? I don't want that to happen, but I do want the GPO gone.

Group Policy Logon Script mapping phantom drives on Windows 10.


We have a GPO which runs a logon batch file. It is specified under User Configuration/Windows Settings/Scripts/Logon. When a Windows 10 user logs on, they do not receive the drive mappings in Windows Explorer. If you launch a command prompt as a normal user and run NET USE, they are missing. If you launch a command prompt as admin and run NET USE, all the drives are present. It's almost as if the script is being run under the wrong user context, and the mappings are not showing up for the actual user.

Any ideas?

Thanks!



Task Schedule GPO returns error '0x80090005 Bad Data'


I am running Windows Server 2012 Standard and my client with the issue is on Windows 10 Pro Version 1703.

I have created a new GPO to schedule a task. I have confirmed the GPO is working and the task has been created on a client with Windows 10 Pro Version 1607. I checked another computer running Version 1703 and it is also having the same problem.

The GPO I have created is under Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks, and my new task is set to Update.

The policy is being applied on both v1703 PCs but returns this error:

The computer 'Cleanup_Script' preference item in the 'Cleanup_Script {5ADA0CC5-0969-4FF4-B203-85F160979FE8}' Group Policy Object did not apply because it failed with error code '0x80090005 Bad Data.' This error was suppressed.

Is this a bug with the new Creators Update, or has the Group Policy for Scheduled Tasks been changed?

Advanced Audit Configuration settings in GPO not working for Win10 1809


Hi, I have a GPO that applies multiple settings under Advanced Audit Configuration; for example, we set Audit Credential Validation under Account Logon to Success & Failure. The GPO worked fine until we started to test Win 10 v1809. Those machines show the GPO is applying but are not getting any of the settings under Advanced Audit Configuration. When I do a gpresult /h and export to an HTML file, it shows all of the other settings in the GPO but has none of the Advanced Audit Configuration settings; it doesn't even list the section. 1709 machines in the same OU get the same GPO with no issues: all of the Advanced Audit Configuration settings are applying.

Any suggestions?

Deploy IPSec VPN with preshared key via GP?


Trying to stand up a new VPN box (Celestix MSA, which is essentially a glorified Forefront Threat Management Gateway 2010 system) that uses IPSec; however, the GP network settings don't have an area to input the preshared key, like the client settings on 7/XP do. How do I deploy this with no preshared key option?

I see that there are some preshared key options in the IP Security Policies GPs, but will the VPN connection look there for the key?

Add AD group to all computer's local administrator group located in specified OU


Hello!

I'd like to ask for help/advice with completing a task.

I have an AD group called "GS-newAdminsHD". I need to add this group to the local Administrators group on all computers located in an OU (the PCs are located in sub-OUs; about 600 PCs in 74 OUs).

I'm not fluent in PowerShell. Actually, so far I have used PowerShell only to gather some data from our AD with single, uncomplicated commands/scripts.

Could anyone help with this? Any solution to complete this?

Thanks in advance!

GPO to disable network browse for OU members is applied but not working

I'm trying to create a group policy that will block members of an OU from browsing the network when logged into any machine on the domain. This OU (DEV-OU) contains users who access a published application via RemoteApp and Desktop Connection. When members of this OU are connected via RD Web and run the application, they can choose to save reports to the computer as a PDF file, HTML, etc. I need to make sure members of this OU can't browse the network when performing a Save As from the application or when I log in to the local machine.

(Screenshots attached: Save As dialog; Revoke Network Browse GP editor; DEV-OU Linked GPO, GP Inheritance and GP Delegation tabs.)

PS C:\Windows\system32> gpresult /s rds01 /user Corp\RDWebUser /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2013 Microsoft Corporation. All rights reserved.

Created on 2/8/2019 at 9:49:19 AM



RSOP data for CORP\RDWebUser on RDS01 : Logging Mode
--------------------------------------------------

OS Configuration:            Member Server
OS Version:                  10.0.14393
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\RDWebUser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=RDS01,OU=My VMs,OU=MyCo Forest (corp.MyDomain.com),DC=corp,DC=MyDomain,DC=com
    Last time Group Policy was applied: 2/8/2019 at 8:27:36 AM
    Group Policy was applied from:      corpdc02.corp.MyDomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        RDS Endpoint Servers
        RDS Management Servers
        RDS Remote Access Servers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        RDS01$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level
        
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  2

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=PV User,OU=DEV-OU,OU=MyCo CORP Users,OU=MyCo Forest (corp.MyDomain.com),DC=corp,DC=MyDomain,DC=com
    Last time Group Policy was applied: 2/7/2019 at 4:40:51 PM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2008 or later
    
    Applied Group Policy Objects
    -----------------------------
        Revoke Network Browse

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Authentication authority asserted identity
        RD Web Users
        Medium Mandatory Level
        
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Increase a process working set

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Revoke Network Browse
                Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoComputersNearMe
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Revoke Network Browse
                Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoEntireNetwork
                Value:       1, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A



list the other user policy

How do I list out the GPOs which are applied for other users?

E.g. I am an admin and I need to check the policy which is applied for user: bob

Map shared drive

Hi experts, I want to map a shared drive for 10 users using GPO. The shared path is \\mydomain\abc$, and these 10 users are in different OUs. Please help me to achieve this.

Control USB Pendrive


Hi team,

Is there a way to control pen drives via GPO? I need to allow only the pen drives provided by my company and block other personal pen drives.

Regards

Thevan Shanmugam  

Lockout policy and activesync

We have a Windows Server 2012 R2 domain. As far as I know, the lockout policy doesn't count the last two remembered passwords as a failed attempt. Is this the same for ActiveSync, so that if the password is changed the ActiveSync device won't lock the account?

AppLocker GPOs applied but new rules not updated


Hi Community,

We have been experiencing a problem with AppLocker GPOs in a Windows 10 Environment.

The Domain functionality level is: Server 2012R2

Domain Controllers are running: Windows Server 2016

Workstations are running: Windows 10 Enterprise Build 17134

We have 2 GPOs: one containing DLL AppLocker rules and one containing EXE, Script, Appx etc. rules.

When running gpupdate /force on an affected workstation and getting the gpresult, the GPOs appear to be applied and are marked as winning; however, the contents of the C:\Windows\system32\AppLocker files are not being updated, and recent rules added to both GPOs are not being applied, i.e. a new application which has been whitelisted will not run for the user despite being specified in the applied GPO.

Can someone please shed some light into this issue? 

Help is highly appreciated!

Kind regards,

Jason

How to edit group policy via Powershell script?


I have changed a few group policy settings. 

I could see any changes with /GPRESULT /H GPReport.

Is there any way to change those options with PowerShell script? 

I've been googling about this and cannot find a suitable answer for me. Please give me instructions on how to edit the GPO.
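As an added example (not from the poster or the forum), the GroupPolicy PowerShell module that ships with RSAT/GPMC can write and read back registry-based (Administrative Template) settings in a GPO; the GPO name and the policy key/value below are assumptions chosen for illustration.

```powershell
# Added example: edit a registry-based GPO setting with the GroupPolicy module (RSAT / GPMC).
# Assumptions: the GPO name and the NoEntireNetwork policy value are placeholders chosen for
# illustration; substitute your own GPO and registry-based policy key.
Import-Module GroupPolicy

$gpoName   = 'Revoke Network Browse'   # assumed GPO name
$key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
$valueName = 'NoEntireNetwork'

# Fail early if the GPO does not exist rather than silently editing nothing.
$gpo = Get-GPO -Name $gpoName -ErrorAction Stop

# HKCU keys land in the User Configuration half of the GPO, HKLM keys in Computer Configuration.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null

# Read the value back from the GPO so the change is verified, not assumed.
$readBack = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName
if ($readBack.Value -ne 1) { throw "Policy value was not written to GPO '$gpoName'" }

# Produce an HTML report of the GPO itself (the same kind of view as gpresult /h, but
# for the object rather than the resultant set on one client).
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$($gpo.Id).html")

# Clients pick the change up on the next background refresh; gpupdate /target:user forces it.
```

Set-GPRegistryValue only covers registry-based policy settings; security settings such as Advanced Audit Configuration and Group Policy Preferences items (use Set-GPPrefRegistryValue for preference registry items) are not reachable through it.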

Issues with HOMESHARE when using Folder Redirection and Offline Files

Recently we are seeing an increased number of issues with users' home shares.

We have configured folder redirection to direct 9 profile folders (Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Videos) to %HOMESHARE%\foldername.

That's all the configuration we did.
This seemed to work fine for over a year, but now users are reporting one of the below issues rather frequently.

- When trying to access their home drive (P:) they get an error message that P: is unavailable.
- When trying to open a file that has just been saved, the file is not visible in explorer. (In this case refreshing the Explorer window sometimes works. Or starting a new sync may solve it as well.)
- When accessing the home share, not all files and folders are visible. Only a couple of redirected folders are visible. Any other manually created file or folder is not listed. (Rerunning a sync may solve this sometimes.)

The home folder is configured as \\servername\Home\%USERNAME%.

We have tested a few things already.
- Disabling Offline Files, to force working online > Does not seem to work. The issue remains, P: unavailable...
- Added a *.tmp sync exclusion, as .pst files were initially the cause of sync errors > Saving files was no longer possible in redirected folders, so we had to remove this setting.
- Changed the folder redirection policy to point to a different share than the home folder and cleared the offline file cache > The issue remained, P: unavailable or not showing all files.

Only when we also moved the user's home folder to a different share did the issue go away. (The 2 new shares for redirected folders and the home folder have caching disabled. The original Home share has caching enabled.)

It would be great if there was a server side solution (GPO?) to this issue.
Splitting the redirected folders and home folder and moving them to a new location is not something we're aching to do...
